The Sangoma FreePBX Security Team has issued an advisory warning of an actively exploited FreePBX zero-day vulnerability that affects systems with the administrator control panel (ACP) exposed to the public internet.
FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It is built on top of Asterisk, an open-source communication server.
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity.
“Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution,” the project maintainers said in an advisory.
The issue affects the following versions:
- FreePBX 15 prior to 15.0.66
- FreePBX 16 prior to 16.0.89, and
- FreePBX 17 prior to 17.0.3
Sangoma said an unauthorized user began accessing multiple FreePBX version 16 and 17 systems connected to the internet starting on or before August 21, 2025, particularly those with inadequate IP filtering or access control lists (ACLs), by taking advantage of a sanitization issue in the processing of user-supplied input to the commercial “endpoint” module.
The initial access obtained using this method was then combined with other steps to potentially gain root-level access on the target hosts, it added.
In light of active exploitation, users are advised to upgrade to the latest supported versions of FreePBX and restrict public access to the administrator control panel. Users are also advised to scan their environments for the following indicators of compromise (IoCs):
- File “/etc/freepbx.conf” recently modified or missing
- Presence of the file “/var/www/html/.clean.sh” (this file should not exist on normal systems)
- Suspicious POST requests to “modular.php” in Apache web server logs dating back to at least August 21, 2025
- Phone calls placed to extension 9998 in Asterisk call logs and CDRs are unusual (unless previously configured)
- Suspicious “ampuser” user in the ampusers database table or other unknown users
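A triage helper that checks three of the indicators above against a log file, a CDR export and a filesystem root, added here as an example (it is not part of the advisory or Sangoma's tooling). The access-log and CDR lines it runs on are constructed, and the 7-day modification window for freepbx.conf is an assumption.

```shell
#!/bin/sh
# Added triage helper for the FreePBX IoCs above (not Sangoma's tooling). Functions
# take the artifact path so copied logs or a mounted image can be checked offline.

# Count POST requests to modular.php in an Apache combined-format access log
# dated on or after 2025-08-21, the earliest activity date in the advisory.
modular_posts() {
    awk -v cutoff=20250821 '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        $6 == "\"POST" && $7 ~ /modular\.php/ {
            split(substr($4, 2), t, "[/:]")            # day, Mon, year, ...
            d = t[3] mon[t[2]] sprintf("%02d", t[1])   # -> YYYYMMDD
            if (d >= cutoff) n++
        }
        END { print n + 0 }' "$1"
}

# Count calls to extension 9998 in an Asterisk Master.csv CDR (3rd field = dst).
calls_to_9998() {
    awk -F'","' '$3 == "9998" { n++ } END { print n + 0 }' "$1"
}

# Report the dropped .clean.sh script and a missing or recently changed
# /etc/freepbx.conf under the given filesystem root (assumed 7-day window).
file_iocs() {
    fi_root=${1%/}; fi_days=${2:-7}
    [ -e "$fi_root/var/www/html/.clean.sh" ] && echo "backdoor: .clean.sh present"
    if [ ! -e "$fi_root/etc/freepbx.conf" ]; then
        echo "config: freepbx.conf missing"
    elif [ -n "$(find "$fi_root/etc/freepbx.conf" -mtime "-$fi_days" 2>/dev/null)" ]; then
        echo "config: freepbx.conf modified within $fi_days days"
    fi
    return 0
}

# Constructed sample inputs: three POSTs (one predates the cutoff) and two calls.
SAMPLE_LOG=$(mktemp); SAMPLE_CDR=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [19/Aug/2025:12:00:00 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Aug/2025:10:15:02 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Aug/2025:01:42:19 +0000] "POST /admin/modular.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF
cat >"$SAMPLE_CDR" <<'EOF'
"","1001","2001","from-internal","Alice <1001>","PJSIP/1001-00000001","PJSIP/2001-00000002","Dial","PJSIP/2001,30","2025-08-22 08:00:00","2025-08-22 08:00:05","2025-08-22 08:03:10","190","185","ANSWERED","3","1755849600.1",""
"","1001","9998","from-internal","Alice <1001>","PJSIP/1001-00000003","","Hangup","","2025-08-22 09:10:00","","2025-08-22 09:10:02","2","0","NO ANSWER","3","1755853800.3",""
EOF
echo "modular.php POSTs since 2025-08-21: $(modular_posts "$SAMPLE_LOG")"   # 2
echo "calls to 9998: $(calls_to_9998 "$SAMPLE_CDR")"                        # 1
file_iocs /
```

On a live host, point the functions at /var/log/httpd/access_log (or the Apache log path in use), /var/log/asterisk/cdr-csv/Master.csv and the root filesystem; the ampusers table check still needs a direct database query and is not covered here.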
“We’re seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise,” watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
“While it’s early, FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius.”
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added CVE-2025-57819 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by September 19, 2025.
“Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution,” the agency said.